GBHackers

GigaWiper Uses OneDrive Update Scheduled Task for Persistent Destructive Access


A sophisticated Golang-based backdoor family now tracked as GigaWiper that fuses extensive C2 controls with multiple destructive payloads.

What makes GigaWiper noteworthy is not merely its destructive capacity but how it packages several formerly separate wipers and extortion tools into a single modular implant.

That consolidation enables operators to switch destruction modes on demand physical-disk wipes, fake ransomware that renders files unrecoverable, multi-pass secure wiping while maintaining persistent, remotely controlled access.

One persistence mechanism observed is deceptively simple: the implant creates a scheduled task named “OneDrive Update” and uses a registry key at HKCUSOFTWAREOneDriveEnvironment to track executions.

On first run it writes the key and creates the OneDrive Update scheduled task, configured to run every minute and at startup.

Subsequent runs detect the registry value, increment it, and behave as an expected scheduled-task child process an operational choice that reduces suspicion and leverages a trusted Windows scheduler for persistent destructive access.

The standalone component actively enumerates physical disks via WMI, identifies the Windows installation drive, removes partition metadata from non‑system drives using DeviceIoControl (IOCTL_DISK_CREATE_DISK), overwrites raw disk sectors in large chunks with randomized-first-byte buffers, and forces an immediate restart.

Embedded within the backdoor as command 1 (WipeMain) is identical functionality, while command 12 (WipeCMain) offers a C-drive–only, multi-pass secure wipe.

A third destructive command reproduces Crucio-derived logic: a “ransomware” routine that AES-CBC encrypts files with randomly generated keys that are never saved, renames victims’ files with a .candy extension, and drops no viable recovery path functionally a wiper masquerading as extortion.

Microsoft Threat Intelligence identified that GigaWiper appears in two primary sample forms: compact standalone wipers and larger Golang PE backdoors that subsume the standalone code as commands.

GigaWiper Uses OneDrive Update

C2 and operational telemetry are robust. GigaWiper uses RabbitMQ over AMQP for command distribution and Redis for status and output reporting.

The wiper’s main.main routine implemented in the backdoor as the rabbit_tools_tool_wipe_main.WipeMain function.

The implant decrypts a hard-coded AES-protected configuration containing C2 endpoints and credentials; observed infrastructure included addresses like 185.182.193[.]21 on nonstandard ports.

Left: Standalone wiper functions. Right: The same wiper functions replicated in the backdoor (Source : Microsoft).

The RabbitMQ design uses a fanout exchange named “All” for broadcast commands and a topic exchange “Topic” for targeted tasks, with commands modeled as structured Task and Result objects.

This messaging approach scales control across many infected hosts while enabling per-host targeting when required.

Beyond wiping and fake-ransom features, GigaWiper implements broad remote‑access and system‑management capabilities: process and service management, registry navigation and persistent sessions, file upload via the MinIO client, screenshotting and screen recording, keylogger and VNC-like remote control, event-log clearing.

Image dropped by backdoor and set as the wallpaper (Source : Microsoft).
 Image dropped by backdoor and set as the wallpaper (Source : Microsoft).

Code overlap and shared strings link GigaWiper to at least three prior families: a standalone wiper, Crucio-like extortion code (BigBangExtortMain), and FlockWiper, the latter reimplemented from C into Golang access for inclusion as WipeCMain.

PDB path artifacts referencing “GRAT” further tie these components together and suggest a common developer or framework across iterations.

Defenders should prioritize blocking the identified C2 infrastructure, enforcing tamper protection and always-on EDR, and preventing unauthorized Scheduled Task creation and registry modifications from nonprivileged contexts.

Microsoft published detections and mitigations in its GigaWiper advisory and Defender telemetry; organizations should map those indicators to network and endpoint controls and enable cloud-delivered protections to catch evolving variants.

The GigaWiper campaign underscores a shift: destructive tooling is migrating from single-purpose wipes to modular, remotely orchestrated platforms that combine stealthy persistence such as a “OneDrive Update” scheduled task with the ability to weaponize multiple, interchangeable wiping techniques on demand.

Indicators of compromise

IndicatorTypeDescription
633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001SHA-256GigaWiper backdoor
ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913SHA-256GigaWiper backdoor
f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfdSHA-256GigaWiper backdoor
9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683SHA-256GigaWiper backdoor
3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cdSHA-256GigaWiper standalone wiper
440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3SHA-256Crucio
12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721SHA-256FlockWiper
db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674SHA-256FlockWiper
185.182.193[.]21IP addressGigaWiper C2
212.8.248[.]104IP addressGigaWiper C2

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide



Source link